Messages - 0xDEADC0DE

1
Virtual private networks / Re: Wireguard multiple WAN ports
« on: January 30, 2023, 07:16:56 pm »
They block port and IP, and they don't care if they would block 443 for me at all.

And that was my question: how do multiple WG server instances work, as I couldn't get it running.
My preference would be to have multiple external ports open that all route to the same port on
the OPNsense to the same WG server instance.

2
Virtual private networks / Re: Wireguard multiple WAN ports
« on: January 30, 2023, 05:01:03 pm »
This wouldn't solve my problem as they would block port 443 then.
That's why I want to use ports 80, 443, 53 and some more.
If they block one port, I just use another one until the first one is released.

3
Virtual private networks / Wireguard multiple WAN ports
« on: January 28, 2023, 11:39:22 pm »
I'm often in Dubai; VPN is legal but often filtered in hotels.
I have a Wireguard server running on OPNsense and it's working great, but sometimes in the hotels they start blocking this port. So as an alternative I wanted to add more ports I can use as fallbacks.

First try was to clone the whole Wireguard server with all assigned endpoints.
They get new interfaces wg1 to wg3 but don't appear in the interfaces overview.
Only when I create a new server and not clone one.
So I thought a new config makes more work and I tried to go to the firewall and
route all ports 51821 to 52825 to the same local port 51820 so Wireguard is working.
I could get it working, so any hints if this is even possible would be helpful.


4
22.1 Legacy Series / Re: openssl vulnerabilities CVE-2022-0778 -> needed version 1.1.1.n
« on: March 16, 2022, 09:45:24 pm »
Quote from: chemlud on March 16, 2022, 07:58:00 pm
...switch to LibreSSL (as long as it's still there) ;-)

LibreSSL is affected by the same bug.

5
22.1 Legacy Series / Warnings while updating to 22.1.1_1 from 22.1
« on: February 17, 2022, 10:33:56 pm »
I installed the update from the Web UI and got some messages, but the update rebooted too fast.
When I do a health check, I get these missing dependencies. What should it do?
>>> Check for missing package dependencies
Checking all packages: .......... done
py37-markupsafe has a missing dependency: python37
py37-markupsafe has a missing dependency: py37-setuptools
py37-markupsafe is missing a required shared library: libpython3.7m.so.1.0

6
21.7 Legacy Series / Re: LDAPS not working anymore with 21.7.4
« on: November 11, 2021, 03:23:02 pm »
I don't really understand one thing.
Our servers only deliver the server certificate, no intermediate certificates. But in OPNsense we have the root, intermediate and server certificates imported. So what you say is that it should have worked already but it didn't.

7
21.7 Legacy Series / Re: LDAPS not working anymore with 21.7.4
« on: November 10, 2021, 02:22:00 pm »
Old phones are old and there is a reason they should be dead and not working, especially when it comes to certificates. ;)

8
21.7 Legacy Series / Re: LDAPS not working anymore with 21.7.4
« on: November 10, 2021, 10:03:56 am »
Thanks. That worked.
I didn't read it in the changelogs, is it new or was it changed?

9
21.7 Legacy Series / LDAPS not working anymore with 21.7.4
« on: November 10, 2021, 09:51:42 am »
I've installed the 21.7.4 update yesterday and the OpenVPN clients with AD authentication cannot connect anymore.
I have installed the certificates under System -> Trust -> Authorities and they are still valid.
When I use the internal tester, I get this error.

Code:
The following input errors were detected:

    Authentication failed.
    error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)
    ldap_error: Can't contact LDAP server

I have our internal CA, intermediate CA and the DC certificates installed.
How can I fix it?

10
21.7 Legacy Series / Re: 32 character limit in firewall aliases. Can it be increased?
« on: July 23, 2021, 10:08:16 am »
Here is the link to the bugtracker
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257270

The bug was closed because it cannot be changed.

11
General Discussion / Re: OpenVPN Server multiple encryption algorithms/ciphers
« on: April 16, 2021, 01:12:59 pm »
Thanks for the fix.
For the next time I will post it on GitHub

12
General Discussion / Re: Bug in HAProxy "Save & Test syntax"?
« on: April 06, 2021, 11:08:16 pm »
There is another error if you just press Save when HAProxy is disabled.
There is definitely something wrong.

13
General Discussion / Bug in HAProxy "Save & Test syntax"?
« on: April 04, 2021, 10:40:02 am »
I have configured some real servers, backend pools, public services, conditions and rules.
If HAProxy is enabled, the "Save & Test syntax" is working.
If HAProxy is disabled, I get a lot of warnings.

Code:
HAProxy config contains critical errors
[NOTICE] 093/103813 (88702) : haproxy version is 2.2.11-c58c4e4
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:9]: unknown keyword 'uid' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:10]: unknown keyword 'gid' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:11]: unknown keyword 'chroot' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:12]: unknown keyword 'daemon' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:13]: unknown keyword 'stats' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:14]: unknown keyword 'nbproc' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:15]: unknown keyword 'nbthread' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:16]: unknown keyword 'tune.ssl.default-dh-param' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:17]: unknown keyword 'spread-checks' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:18]: unknown keyword 'tune.chksize' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:19]: unknown keyword 'tune.bufsize' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:20]: unknown keyword 'tune.lua.maxmem' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:21]: unknown keyword 'log' out of section.
[ALERT] 093/103813 (88702) : Error(s) found in configuration file : /usr/local/etc/haproxy.conf.staging
[ALERT] 093/103813 (88702) : Fatal errors found in configuration.

This happens because the config is invalid when I disable HAProxy.
Code:
#
# NOTE: HAProxy is currently DISABLED
#global
    uid                         80
    gid                         80

You can see that just global is commented.
Isn't there a better way to enable/disable HAProxy?
Doesn't sound like a good solution to need to enable HAProxy to test the syntax.
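As an added illustration (not OPNsense's or HAProxy's own code), a small Python check that reproduces what HAProxy is complaining about in the post above and shows the fix being asked for: commenting out the whole `global` block, not just its header line. The list of section names and the sample config are assumptions made for the example.

```python
import re

# Keywords that open a new HAProxy configuration section (assumed subset).
SECTION_RE = re.compile(
    r"^(global|defaults|frontend|backend|listen|resolvers|userlist|peers)\b"
)


def out_of_section(config: str) -> list[tuple[int, str]]:
    """Return (line_no, keyword) for every directive that precedes any section
    header: exactly what HAProxy reports as "unknown keyword ... out of section"."""
    findings, in_section = [], False
    for no, line in enumerate(config.splitlines(), 1):
        text = line.strip()
        if not text or text.startswith("#"):
            continue
        if SECTION_RE.match(text):
            in_section = True
            continue
        if not in_section:
            findings.append((no, text.split()[0]))
    return findings


def comment_out_section(config: str, name: str) -> str:
    """Comment out a whole section (header plus every directive up to the next
    header), so disabling it leaves no orphaned directives behind."""
    out, inside = [], False
    for line in config.splitlines():
        text = line.strip()
        if SECTION_RE.match(text):
            inside = text.split()[0] == name
        if inside and text and not text.startswith("#"):
            line = "#" + line
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample mirroring the staged config from the post: only the
# "global" header was commented out, its directives were left in place.
BROKEN = """\
#
# NOTE: HAProxy is currently DISABLED
#global
    uid                         80
    gid                         80

defaults
    mode http
"""

if __name__ == "__main__":
    for no, kw in out_of_section(BROKEN):
        print(f"line {no}: keyword '{kw}' out of section")
    print(comment_out_section(BROKEN.replace("#global", "global"), "global"))
```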

14
General Discussion / Re: OpenVPN Server multiple encryption algorithms/ciphers
« on: April 02, 2021, 10:29:38 pm »
The answer is easy: our employees are out the whole week at customer sites, and they only allow standard ports at the firewall, or we had long discussions with them to allow our IP/port for OpenVPN.
We don't want to start over again.

15
General Discussion / OpenVPN Server multiple encryption algorithms/ciphers
« on: April 02, 2021, 09:37:03 pm »
On the OpenVPN server settings, I can select ONE encryption algorithm.
Some years ago I selected AES-256-CBC, but the current client logs a warning that this algorithm will be deprecated in the future.
Now I want to migrate slowly to a better algorithm AES-256-GCM as suggested by OpenVPN but I have a lot of users I cannot change immediately.
My idea is to select the new and the old algorithm so new and old configs can connect and in 6 months, I can turn off the old algorithm.
Since OpenVPN 2.4, this is possible, but I cannot do it in the GUI. Can you change that?
Is it possible to configure it on the command line?
